How I found XSS on Amazon?

I recently started with “Bug Bounty” after hearing and reading so much about it. I felt like it might be worth the efforts to actually try it out & guess what? It’s absolutely is! As a beginner to anyone whose reading this post please always think about the impact “Imagine you are the bad guy and the evaluate your findings. Before running to submissions”.

Coming back to the topic XSS on amazon. So as always I was trying to “Hunt” for bugs on some program on some website and feeling absolutely drained so I started reading some posts about XSS and thought why not try it out myself.

After playing around some websites I came across “developer.amazon.com”.so I created my account with “<script>alert()</script>” as you might have expected (*Beginner*). After initial futile efforts I started looking at the pattern of request and noticed that name for a feature called “Security Profile” is being directly thrown in the source code and can be elevated to XSS.

So I created the security profile with bunch of payload in place of names.

This is how the profiles looked like

So once the payload is placed I wanted to trigger it so I ended up calling the “Dash Services” which I came to know is the place to trigger after looking at the request-response pattern!

and I hit “Begin”.

Document.Cookie

and my payload executed. So this is not the moment of joy as this is known as “Self-XSS” meaning you can only inject payload on yourself and can’t harm anyone else with it. I ended up escalating this issue to logout CSRF which indeed ended up as a valid issue.

Lessons :-

Every XSS isn’t XSS that’s a game winner. If you find a vulnerability that is limited always try to escalate it to something more severe.

Bug bounty isn’t easy and takes time learn through the process don’t “Quit”.

For the love of god listen to people more experienced and don’t act like an idiot. Read blogs/posts/write ups to get started and learn new methods!

Have Patience! Lots of it.

Time Line :-

Reported on 17th July.

Issue Acknowledged and Triaged on 18th July.

Fixed 24th July.

Amazon didn’t offer any momentary reward because they don’t have the policy for the bounties.

Before I end this post I would really like to thank @Karel_Origin and Robert Smith for helping me out with my journey to bug bounty.